Thursday, July 02, 2009

ZeuS: PC Invader Costs Kentucky County $415,000

Cyber criminals based in Ukraine stole $415,000 from the coffers of Bullitt County, Kentucky this week. The crooks were aided by more than two dozen co-conspirators in the United States, as well as a strain of malicious software capable of defeating online security measures put in place by many banks.

Bullitt County Attorney Walt Sholar said the trouble began on June 22, when someone started making unauthorized wire transfers of $10,000 or less from the county's payroll to accounts belonging to at least 25 individuals around the country (some individuals received multiple payments). On June 29, the county's bank realized something was wrong, and began requesting that the banks receiving those transfers start reversing them, Sholar said.

"Our bank told us they would know by Thursday how many of those transactions would be able to be reversed," Sholar said. "They told us they thought we would get some of the money back, they just weren't sure how much."

Sholar said the unauthorized transfers appear to have been driven by "some kind computer virus." Security Fix has been communicating with a cyber crime investigator who is familiar with the case. What follows is a description of the malicious software used, a blow-by-blow account of how the attackers worked the heist, as well interviews with a couple of women hired to receive the stolen funds and forward the money on to fraudsters in Ukraine. This case also serves as an example of how e-mail scams can be used to dupe unknowing victims in serving as accomplices in their plan.

According to my source, who asked not to be identified because he's still investigating different sides of this case, the criminals stole the money using a custom variant of a keystroke logging Trojan known as "Zeus" (a.k.a. "Zbot") that included two new features. The first is that stolen credentials are sent immediately via instant message to the attackers. But the second, more interesting feature of this malware, the investigator said, is that it creates a direct connection between the infected Microsoft Windows system and the attackers, allowing the bad guys to log in to the victim's bank account using the victim's own Internet connection.